Skip to main content

Linux Kernel EUVDEUVD-2026-32479

| CVE-2026-46096 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wq6x-xf86-6rwf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges sufficient to invoke TPM2 key reads; impact is a memory leak with no confidentiality or integrity effect, only availability.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:36 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()

tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation:

  1. When name_size() returns an error (unrecognized hash algorithm),

the function returns directly without destroying the buffer.

  1. On the success path, the buffer is never destroyed before

returning.

All other error paths in the function correctly call tpm_buf_destroy() before returning.

Fix both by adding the missing tpm_buf_destroy() calls.

AnalysisAI

Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.

Technical ContextAI

The vulnerability is located in the Linux kernel's tpm2-sessions subsystem (drivers/char/tpm/tpm2-sessions.c), which manages cryptographic session handling for TPM2 (Trusted Platform Module 2.0) devices. The function tpm2_read_public() allocates a kernel buffer via tpm_buf_init(), which internally reserves a page of kernel memory. On two exit paths - when name_size() returns an error due to an unrecognized hash algorithm, and on the normal success return - the corresponding cleanup function tpm_buf_destroy() is never called, constituting a classic CWE-401 (Missing Release of Memory after Effective Lifetime) resource leak. All other error paths in the function correctly invoke tpm_buf_destroy(). The CPE identifier cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* confirms multiple kernel version branches are affected across the 6.12, 6.18, and 7.x series.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel: version 6.18.27 or later in the 6.18.x stable series, 7.0.4 or later in the 7.0.x series, or 7.1-rc1 or later for mainline. Upstream fix commits are available at https://git.kernel.org/stable/c/2f434be87e256fd58254f60ddf5d7d58e775ca0b, https://git.kernel.org/stable/c/f0f75a3d98b7959a8677b6363e23190f3018636b, and https://git.kernel.org/stable/c/f8775d9d9062da662cc861f9ff7722a65896d4cd. Distribution maintainers (RHEL, Ubuntu, SUSE, Debian) should be checked for backported stable patches to their respective supported kernel versions. As a compensating control on systems that do not require TPM2 functionality, the TPM2 kernel modules (tpm_tis, tpm_crb) can be blocklisted or unloaded, which eliminates the vulnerable code path entirely; note this will disable TPM2-dependent features such as Measured Boot, LUKS disk encryption key unsealing via TPM2, and remote attestation - these trade-offs must be assessed per deployment.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy